title: Secure development in C/C++
audience: senior/medior developers, lead devs, testers and security champions
duration: 1 or 2 days (7 or 12 hrs education time), depending on the actual kit of topics applicable/required (see Agenda below)
developed by: Marek Zachara
We assume that the developers attending the secdev course:
are familiar with the C/C++ language, can compile and execute the programs
specific focus of the course (see below) may result in additional prerequisites
DIY code and ASVS audit
Due to the variety of applications, ranging from embedded to large scale deployments, real-time and critical systems that are built in C/C++, we recommend to tailor the training for the specific needs of the particular development team.
The list of modules below illustrate the scope to choose from, however the exact scope and detail level is pre-arranged to suit the specific needs of the attendees.
Defense in depth principles
Standards and practices
Various types of weaknesses and vulnerabilities
Security by design
String formatting issues
Array and string indexing
Secure memory handling
Removal of sensitive data
Unsafe type casts and conversions
Symmetric and asymmetric encryption
Deadlocks, starvation, etc.
Accessing external resources
Automated analysis with existing tools
Safe and unsafe APIs
Module isolation, wrappers, etc.